Manage 2-factor settings
┌────────────────────────────────────────────────────────────────────────────┐
│ 2-factor Authentication Settings │
└────────────────────────────────────────────────────────────────────────────┘
┌─┬──────────────────────────────────────────────────────────────────────────┐
│1│View or Change the Yubikey HMAC │
│2│View or Change the Yubikey validation host URL │
│3│View or Change the Yubikey sync pool │
│4│View or Change the Yubikey allowed sync hosts │
│5│Manage the YubiHSM settings │
│6│Manage TOTP settings │
└─┴──────────────────────────────────────────────────────────────────────────┘
Move the cursor or enter a it's corresponding number (Q to Quit)
Main> Provisioning> 2-Factor>
View or Change the Yubikey HMAC
A keyed-hash message authentication code (HMAC) is a message authentication code (MAC) built from a cryptographic hash function combined with a secret key. As with any MAC, it lets the receiving party verify both the integrity and the authenticity of a message, provided the key is known only to the two parties.
The secret key used for the Yubikey HMAC must be entered in base64 format. You can either specify it manually or, by typing a single dot (".") as the sole input, let the appliance generate a random string, which is then base64 encoded. Treat the value like any other shared secret: it is shown in the prompt after generation, so do not leave it on screen or in logs.
Manage the Yubikey HMAC
Yubikey HMAC in base64 format? (. to generate or Q to Quit) <FIXME>: .
Yubikey HMAC in base64 format? (. to generate or Q to Quit) <RTN6NVc0bWRPbzdlRmFMSA==>:
Press any key to continue
View or Change the Yubikey validation host URL
Manage the Yubikey validation host URL
To validate Yubico OTP as transmitted by Yubikeys when logging in, a validation
server (or service) is required.
Current validation server is set to: Local (Private YubiCloud) - "127.0.0.1/wsapi/2.0/verify.php"
Validation servers are either:
- Local, Private YubiCloud (Requires on-prem YubiHSMv1).
- Remote, using the Public YubiCloud validation service.
- Requires direct public access to to https://api.yubicloud.com
(Currrently no explicit HTTP proxy is supported)
Valid choices are:
1) Use a local validation server (Private YubiCloud).
2) Use YubiCo's Public YubiCloud validation service.
3) Enter a custom URL for accessing the validation service/server.
Choose 1, 2 or 3? (Q to Quit) <2>: 1
Set to LOCAL validation (Private YubiCloud).
View or Change the Yubikey sync pool
Current seting is $baseParams['__YKVAL_SYNC_POOL__'] = array();
Syntax is:
Single host: "https://host.domain.tld/wsapi/2.0/sync.php"
Multiple hosts: "https://host1.domain.tld/wsapi/2.0/sync.php","https://host2.domain.tld/wsapi/2.0/sync.php"
Sync Hosts: (Press . to reset to no pool or Q to Quit) <>:
View or Change the Yubikey allowed sync hosts
Current seting is $baseParams['__YKVAL_ALLOWED_SYNC_POOL__'] = array();
Syntax is (must be ip addresses):
Single host: "10.1.2.3"
Multiple hosts: "10.1.2.3","10.1.2.4","10.1.2.5"
Allowed Sync Hosts: (Press . to reset to no pool or Q to Quit) <>:
Manage the YubiHSM settings
┌────────────────────────────────────────────────────────────────────────────┐
│ 2-factor Authentication Settings │
└────────────────────────────────────────────────────────────────────────────┘
┌─┬──────────────────────────────────────────────────────────────────────────┐
│1│Add more Yubikeys to the YubiHSM │
└─┴──────────────────────────────────────────────────────────────────────────┘
Move the cursor or enter a it's corresponding number (Q to Quit)
Main> Provisioning> 2-Factor> HSM>
Once the key file has been prepared, it is ready for provisioning into the HSM using the menu option Manage the YubiHSM settings, then Add more Yubikeys to the YubiHSM.
Add more Yubikeys to the YubiHSM
Insert a USB disk and press enter when ready. Ready? (<Y>/n):
Available files in /mnt/usb:
yubikeys.txt
yubikeys.txt.sign
Enter filename of the file containing new keys (Q to Quit) <yubikeys.txt>:
Install the new Yubikeys from "yubikeys.txt" into the YubiHSM? (<Y>/n):
Manage TOTP Settings
TOTP Settings
You can change the TOTP issuer to better suit your needs. Currently StoredSafe
uses two issuers, one generic issuer and one for users whose only second factor is TOTP.
Issuer: StoredSafe
Issuer (2FA): StoredSafe 2FA
Set generic issuer to? (Q to Quit) <StoredSafe>: stored.safe.cc
Set 2FA issuer to? (Q to Quit) <StoredSafe 2FA>: stored.safe.cc 2FA
Save changes? (<Y>/n): n
Press any key to continue